2021, Allison Sheridan
NosillaCast Apple Podcast



[0:00] Music.

[0:06] With an ever so slight Apple bias. Today is Sunday, January 8th, 2023, and this is show number 922.
And my voice is almost completely back and I'm hoping it lasts throughout the show.
Speaking of that, we've only got one more show to do before Steve and I head off to Antarctica.
While we're gone, Bart Busschots and Allister Jenks will be in charge of the show. So we will not lose our streak of, what is it, coming up on 18 years.
I really truly need you to give them content.
Now, if you're already certain you're gonna be providing something, please let me know right away so that we know to count on it.
We leave on the 17th of January, so you've pretty much got only one week from the day I'm recording this to get something into me so I can give it to them.
I will not be very available, maybe a little bit available for the first week, like a text message here and there, but I won't be able to do anything in the second week. So please get those recordings in.
This is a huge ask for them to do this favor for us and I hope you'll make it easier for them.

CCATP #757 Bart Busschots on PBS 143 — Shell Script Basics

[1:09] In this week's episode of Programming by Stealth, Bart Busschots starts building out one more tool in our toolbox, shell scripts.
Bart starts with the basics, explaining how to tell our little scripts which shell to run using the shebang line, which is just fun to say.
He talks about the structure of shell scripts, commenting, assigning and using variables, and how to write strings without having to escape every space and unusual character.
Now, throughout the installment, Bart refers back to things we learned in Taming the Terminal, which is a podcast we did a long time ago.
If you haven't listened to or read that series, you can download the book that Helma helped us to produce from all the content that we made using the Apple Bookstore. You can download that book or you can access it in beautiful HTML.
Both of these have the audio of the podcast embedded within and you can find even more formats if you go to slash TTT book.
And of course, you can listen to this episode of Programming by Stealth, number 143, in your podcatcher of choice.

Under My Roof ScreenCastsOnline Tutorial

[2:06] My favorite tutorials to do for ScreenCastsOnline are the ones for software that I've been using for a long time that solve real problems for me. This week my tutorial on the awesome tool Under My Roof was published on ScreenCastsOnline.
Under My Roof is available from Binary Formations.
The purpose of Under My Roof is to help you keep track of everything within your home. Now it used to be called Home Inventory, but they expanded it to do so much more.
Under My Roof helps you store information about your stuff, so you can store the make, model number, serial number, receipts, and other important information about your belongings.
But you can keep track of warranty status for your items too, and store photos of your items, which is essential in filing an insurance claim.
Sadly, I found out about that one first hand. Speaking of insurance, you can keep track of insurance policies and coverage information for your home in Under My Roof.
You can keep track of mortgage or rental documents for your home, and get notifications on regular maintenance needs.
You can even organize home improvement projects in Under My Roof.
If you're a collector, you'll find the features of Under My Roof an invaluable way to keep track of valuations and certificates of authenticity and to group your collections.
When it comes time to move, Under My Roof even helps you by letting you record what you put in each box with photos and when you arrive in your new home, you'll be able to find that spaghetti strainer you need on the first night.
If you store a box away in a closet to be unpacked later, you can even record that.

[3:29] As you can tell, I'm a huge fan of Under My Roof, and it was really fun to make this tutorial. I hope you'll check out the free 7-day trial of ScreenCastsOnline at or by subscribing to the service.

Tiny Tip — Firefox Developer Edition for Testing Responsive Design (and Regular Firefox and Safari)

[3:43] A few times over the past couple of years I've mentioned an app called Sizzy that Helma from the Netherlands recommended to me. Sizzy is a very slick tool for people who are developing websites and web apps. The main problem it solved for Helma and me is that it shows you what your web app or site will look like on a whole bunch of different platforms at once. You might make a site that looks great on your Mac, but squished onto an iPhone SE it's not useful at all.
Sizzy can show you the site on the SE and a Galaxy Tab and a portrait-mode iPad and more.
Helma discovered Sizzy in Setapp and turned me on to it. I kept meaning to do a review, but it was a pretty high-end tool and had so much more built-in capability that I didn't use or understand that I never did a review.
A few months ago, we discovered that Sizzy had been removed from Setapp and we were both super sad.
I looked into buying Sizzy, but it's a subscription model with the least expensive pricing being $12 a month.
For how little I actually code, I simply couldn't justify the price.
If you do web development for a living, I highly recommend you check out Sizzy and see if it can help you in your work because it does a ton of stuff I don't even understand. It just wasn't right for me, but I was sad to lose the responsive design mode that I used in Sizzy.

[4:54] This week, Helma discovered something wonderful. The lovely people at Mozilla have come out with a developer edition of Firefox that includes tools to view your sites and adjust the responsive design on a whole bunch of different platforms.
Of course, since it's from Mozilla, it's free.
With the Firefox Developer Edition, you can navigate to the site you want to test and then in the toolbar on the right side is a wrench and under that is an option for responsive design mode.
Or you can use the keystroke Option-Command-M.
Immediately, the layout of the website you've navigated to will change to reflect one of the screen sizes.
Mine defaulted to an iPhone 11 Pro, but there's a default dropdown to show many more options. It looks like the list isn't super up to date because it maxes out on the iPhone 13 Pro.
It includes the Galaxy Note 20, Galaxy S10, the S10 Plus, it's got Pixels, it's got Kindle Fires, it's full of options.
At the bottom of the dropdown, it even has an option to edit this list and from there, a grid of lots more devices.
You can check and uncheck them to make your dropdown list show just the devices you'd like to see.
If you don't see a device you really need in the grid, you could create it yourself with the create custom option.
You'll probably want to explore the new features to help you master the CSS grid, find inactive CSS or work more quickly with their fonts panel and more.

[6:13] Now I'm delighted that I have an easy way to get the one feature I used in Sizzy, and for the glorious price of free.

[6:20] Now, after I wrote up this glorious discovery, I tooted it out on Mastodon and a bunch of other places.
Scottish Wildcat tooted me back with this, quote, You don't need the developer edition for this.
As far as I know, it's available in all versions of Firefox.
Chrome and Safari have very similar tools too.

[6:40] Couldn't believe it. So I jumped into regular Firefox and sure enough, under the Tools menu in Browser Tools is responsive design mode, which brings up the exact same thing I was so excited about in the developer edition of Firefox.
Here I thought Helma and I had made fire.

[6:56] I feel silly, but I'd much rather feel silly now than never know that the tools were right there.
In Safari, you have to do a smidge more work. This was work I'd already done. Open Safari Settings, or Preferences if you're on a pre-Ventura macOS, select the Advanced tab, and at the bottom you'll see a checkbox to show the Develop menu in the menu bar.
Once you close Settings or Preferences, depending on the version of Safari you're on, you'll now see the Develop menu between Bookmarks and Window.
It's a very long menu with lots of cool stuff in it, but I think the seventh item down says Responsive Design Mode.
It can also be triggered with Control-Command-R.
You'll be rewarded with little icons for the major Apple products, but only up to the iPhone 8 Plus, so I guess Firefox isn't actually that far behind.
In typical Apple fashion, It doesn't include any Android tablets or phones, but it does have three screen resolutions you can test.
Unlike Firefox, you can't rotate to landscape mode either, so Firefox is a lot better.
It's sweet that Apple tried, but I'll be using regular Firefox for testing responsive design of my web apps and websites.
I'm so glad that Scottish Wildcat corrected me, especially before I talked about it on the podcast.
By the way, he also goes by Callum in many of the online forums for the podcast.

[8:14] Wait, wait, this just in, this is the value of having the live show. When I said that Safari didn't let you switch to portrait mode, I was wrong.
Allister pointed out that if you click on the little icons for the iPad and the iPhone, whatever you're looking at, it actually switches to portrait mode, but it has three modes. It's got landscape, portrait, and then it's got a split mode.
I'm not sure that split mode's really useful, because I have it set up for the iPad Pro 12.9 and when I go into split mode, it's this really tall, thin thing, and that's not what it would look like on a 12.9-inch iPad Pro, I don't think. But anyway, good to know.
Actually, it was Bill who said that the third one was split mode, because I was very confused about what that weird one looked like. So anyway, Apple was unjustly accused; you can look at landscape and portrait mode in Safari's developer tools in the responsive design mode.

[9:02] Wait, wait, this just in. Allister just corrected me yet again.
It turns out as you keep clicking on the iPads, it's cycling through all of the different split modes that an iPad can show you. So that's why it was real tall and skinny.
He says that it's seven total clicks to go through all of the different modes.
I am done correcting myself. This is it. This wasn't that interesting of a story, but I couldn't resist telling you one more correction.

Mermaid Diagrams Won't Replace diagrams.net for Me, But It Sure Is Fun

[9:34] Mermaid diagrams won't replace diagrams.net as my diagramming tool of choice, but they're still pretty cool.
I've been having a lot of fun lately with this tool called Mermaid for making diagrams. I've hesitated about whether to tell you about Mermaid diagrams for two reasons.
One reason for my hesitance is that they're a pretty nerdy way to make diagrams that's a lot harder than using my beloved drag-and-drop tool.
The other reason is that Bart already taught us a bit about Mermaid in Programming by Stealth installment 141. Now Bart's instructions were how to make something called UML class diagrams in Mermaid, and these are made specifically for programming.
We'll be using UML class diagrams in the project to port xkpasswd to a modern JavaScript version. His instructions did everything from the command line in the Terminal, which is great for a programming audience,
but I wanted to see if I could teach Mermaid diagrams in a way where normal people could do it.
I've discovered there's a far less nerdy way to create Mermaid diagrams that I might talk you into trying, and an example of a type of diagram you might want to make: a simple flowchart.
I first learned about Mermaid diagrams back when I reviewed the note-taking app Joplin a year or two ago.
In my description of Mermaid diagrams, I said I learned just enough to be impressed and amazed that Mermaid exists, and then practiced a little bit inside Joplin and learned that it was too nerdy even for me.

[10:55] Well, I pride myself on becoming nerdier every year, and after having Bart walk us through the UML class diagrams example, I got the itch to try them again, and they're simpler than I realized.
Let's talk about why Mermaid is nerdy. Instead of dragging and dropping boxes and lines onto a canvas through a graphical user interface, you create diagrams using only a plain text file.
For example, let's say we're drawing a flowchart, and you want a rectangular box with text in it. Type the text between square brackets.
If you want the box to have rounded corners, use round brackets instead.
Want a line with an arrowhead between the two boxes? Simply type two dashes and a right angle bracket.

[11:35] That's not too hard, is it? Well, let's talk about what problem it solves to use Mermaid text files for diagramming instead of a graphical user interface.
There are a couple of advantages that may or may not be compelling for you, but with any luck, you'll enjoy learning about them even if you never use them in anger yourself.
Plain text files are easier to share between people who need to collaborate.
If I create a nifty diagram in a GUI interface, I'll usually export it to an image file before I share it with someone.
There's no way for you to collaborate with me and edit that graphic file.
To collaborate, I'd have to convince you to get an account on the same service I'm using, and then the service would have to support sharing and version control, and it gets messy. Using a text file for collaboration means you and I can use any text editor we want and any file sharing service to do the collaboration.

[12:26] In Programming by Stealth we've learned about using something called version control for our code. That lets people keep copies of the same code all over the place on their own machines and online with services like GitHub or Bitbucket. When one person changes the code, the changes can be pushed around to the other copies, and yet the changes are tracked.
So if mistakes are made, or should I say when mistakes are made, they can actually be reversed.
If I create a diagram in a text file, we can put it in version control and collaborate even more easily.
That's kind of nerd level stuff though, so let's get back to our mainstream needs.
If a Mermaid diagram is well written, it could actually be an accessible form of the graphical image.
A PNG image file embedded on a website would be pretty hard to describe fully in alt text. Having a link to the Mermaid text file might be a good alternative.
Finally, text files are way, way, way, way, way smaller than pretty much any other file type.
The diagram I made for the Programming by Stealth project has seven boxes on it. It has cute little icons in it.
Some boxes are round, some are square, they're different colors. And I have solid and dashed lines.
The entire file is one kilobyte.
Not joking, one whole kilobyte.

[13:40] Well, in Programming by Stealth, Bart taught us how to install Mermaid using something called Node.js, all from the command line.
This adds a giant folder of modules to the folder where you create the diagrams. He taught us to create the text file for the diagram in any text editor, but then we had to run Mermaid from the command line.
So we had to tell Mermaid where to find the input text file, what to call the output image file, and it takes a few seconds to run, and then we were able to double-click on the PNG to open it to see if it looks like what we were hoping for.

[14:09] All of this is perfectly normal in programming world. It works, but to be honest, it's a tedious process.
I was delighted to find out that there are text editors out there that will allow you to create your diagrams and see them changing in real time as you're typing. Mermaid has a terrific user manual, and one section is all about tools that have integrated Mermaid diagrams.
There are pages and pages of tools, but I wanted to focus specifically on text editors.
A few of the tools listed have native support for Mermaid, meaning you don't need to install any plugins or extensions.
Apps we've mentioned on the NosillaCast before that include native support for Mermaid include Joplin, as I mentioned earlier, Notion, and Al's favorite, Obsidian.
They all have free versions. There's also a website called Mermaid Live where you can create your masterpiece diagram and see it created automatically right in front of you.
The Mermaid Live editor is a great place to learn the tool, but as my father would have it, it's ugly as sin. Pick any one of these tools and you can play along with this very basic introductory lesson on making Mermaid diagrams.

[15:12] Okay, enough about the tools, let's get into the meat of how to write in Mermaid to create diagrams. The documentation on Mermaid, I've said it once, I'm going to keep saying it, is superb.
They start you out really slow and they just add on little tiny bits, more and more concepts to help you enhance your diagrams. So as an experiment here, let's build up a simple flowchart and see how far we can get.
Let's make a diagram to explain the different shows at the Podfeet Podcasts. We'll create a box at the top that says Podfeet Podcasts, then three boxes below that for NosillaCast, Chit Chat Across the Pond, and Taming the Terminal.
Below Chit Chat Across the Pond we need two more boxes for Chit Chat Across the Pond Lite and Programming by Stealth. Once we get those basic blocks in place we can start having some fun styling our diagrams.

[15:55] The first thing to type in your text editor is the type of diagram you want. Mermaid can create a lot of different diagram types including flowcharts, Gantt charts, pie charts, mind maps, and more. We need to tell Mermaid we're going to create a flowchart, and we need to tell it whether we want to go left to right or top down.
Since we want ours top down, we simply type in our text editor: flowchart, space, TD for top down.
All right, we want Podfeet Podcasts in a square box, or I should say a rectangular box, at the top. So we'll put Podfeet Podcasts between square brackets.
Now every node you create in a diagram has to have an ID, but we can make that ID any name we want, and it can't have any spaces in it.
I like short names because they're easier to type. So I'll call this first node PP. There's the added bonus that saying PP out loud makes me giggle because I have the maturity of a seven-year-old.
Now we get to put the name PP, or we need to, I should say, put the name PP cuddled up against the node text in its brackets.
So putting all this information together, we write PP, square bracket, Podfeet Podcasts, close square bracket.

[16:59] That's not too bad, right? Now, as soon as I enter those two simple lines of text, the one that says flowchart TD and the one that says PP, Podfeet Podcasts, I am rewarded with a rectangular box that says Podfeet Podcasts inside it.
All right, that didn't hurt too much, did it?
If I type NC, square bracket, NosillaCast, square bracket on a new line, I get a second node, but it gets drawn side by side with the first Podfeet Podcasts node.
That's because I haven't yet told Mermaid about any relationship between the two nodes.
On the second line, before it says NC, I can put dash dash angle bracket, and this instantly drops the NosillaCast down and we have a lovely diagram with Podfeet Podcasts in a box with an arrowed line going down to NosillaCast in a box below it. Works perfectly. Now think about that, I have hardly typed anything and I've got this part of the diagram done. In literally three lines of text, we've drawn a diagram. That felt really powerful to me when I did it the first time.

[17:56] Okay, so we have Podfeet Podcasts above NosillaCast with an arrow going down, but we need three arrows going down to three boxes.
Since all of these nodes should be below Podfeet Podcasts, we type them on the same line as the NosillaCast node with an ampersand between them.
So the text says arrow, NosillaCast, ampersand, Chit Chat Across the Pond, ampersand, Taming the Terminal.
Now we see three podcasts in rectangular boxes below Podfeet Podcasts with lovely arrows going to them.
Now it's starting to look pretty good, but the boxes are getting super wide because Mermaid doesn't automatically word wrap text, so it'll just keep growing wider and wider and wider the more you type into the box. We need to add some line breaks in our nodes.
In HTML, the way you insert a line break is with the text br between two angle brackets, and we can actually use that same syntax within Mermaid diagrams.
With some well-placed breaks, the diagram looks much better now, but the Mermaid text is definitely starting to look very messy.
Building it up piece by piece like this helps us to understand it, but at first glance, it kinda looks like a cat just walked across your keyboard.
We're gonna clean it up in a moment to make it more readable.

[19:02] For our final piece of content, we wanna add Chit Chat Across the Pond Lite and Programming by Stealth below Chit Chat Across the Pond with arrows going down to them.
Now we could, if we hated ourselves, embed those last two blocks in the same line we just created with the NosillaCast and Chit Chat Across the Pond, but there's an easier way.
Once you've created a node, you can just reference it again by its ID name, like NC or TTT for Taming the Terminal.
In fact, as I was writing this up, I did some experiments, and I learned that we can make everything look much simpler.

Think of each node as a variable you've assigned. The variable name NC has a value of NosillaCast, the variable CCATPL has the value of Chit Chat Across the Pond Lite.

We could define each of these variable nodes on their own simple-looking line with no information about the relationship, so it's not going to look so messy.
Then later in the file we can write the relationships using only those variable names and it's going to look much cleaner. So I created a set of node definitions that just says PP, square bracket, Podfeet Podcasts.
The next line says NC, square bracket, NosillaCast, and I did all of them in a row.
Now the beginning relationships are easy and clean to read.

PP on one line, and on the next line I put my arrow symbol and I can write NC ampersand CCATP ampersand TTT, and I keep going through the diagram.
Now it's a lot easier to read and it looks like way fewer cat steps went on that keyboard.
I've got a lot of screenshots in the show notes, and if you look at these I hope you'll experience the joy I felt as I learned more about how to do this, and I think that's why it's so fun.
The discovery of what I could do with this was really cool. So we now have our full relationship diagram created in just a few lines of text, but to be honest, it's kind of boring.
We can add some styling to the boxes for our nodes. To each individual node we could add text to define the text color, the fill color, and more, but there's a cleaner way of doing it on every node. We can define classes with that information and then add the class names to all of the nodes that we need to have that change to those colors. The way you define a class is with the word classDef, followed by the name you choose for the class definition and then the colors.
So let's define a class called top.
We'll make the text white with the fill color red.
We write classDef top color colon white comma fill colon red. Very simple.
Then we assign the class top to our top node PP by writing class PP top.
I know this is starting to get a little tangled, probably, if you're hearing it, but again there are good graphics in the show notes and all the text is there too.
But basically all I did was define a class and then assign that class to one of the boxes.

[21:47] So those two lines can sit anywhere in your text diagram that you like. I prefer them at the bottom.
The advantage of assigning classes isn't obvious when you only have one node with the class, like top, but now that we know how to create and assign classes, we can assign the same color and fill to the rest of the nodes.
I added one more class called podcasts and declared that they should all be color white, the text color, and filled with blue.
I could then add the class to multiple nodes in one line by typing class followed by each node name separated by a comma and then the name of the classDef.
So now my text file has three sections: a listing of all the variable names for each node, three lines that create the diagram with the arrows, and the section that defines the classes and assigns those attributes to the nodes.
My diagram now has Podfeet Podcasts in red with white letters at the top, and all of the other nodes are blue with white text. It's rather pretty now.
Now I was pretty happy with the diagram, but I'd like to have a way to maybe make the propeller-beanie shows, Taming the Terminal and Programming by Stealth, have a different shape.
I mentioned at the beginning that putting the text of the node inside square brackets makes sharp-cornered rectangles and round brackets makes them rounded rectangles.
Turns out there's a lot more shapes you can easily designate by changing those brackets.

[23:02] Now I don't bother remembering how to do fancy things like this in Mermaid because I can always refer to that terrific user manual for Mermaid. In the left sidebar you can see different types of diagrams you can make, and if you select flowchart, the right sidebar now shows you the different sections. I open this as a reference, so now I can select node shapes to find a better shape. I wanted to find a shape that looked nerdy so I could assign it to Taming the Terminal and Programming by Stealth. One of the options is called a subroutine box, which is just a rectangle with an extra vertical line on the right and left. You make those with double square brackets around your node. That was a little bit nerdy. But ooh, how about a box that has kind of pointy edges on either side, like an elongated hexagon? They call this a code box, and you make that using two squiggly brackets on either side of your node. I think green would be a nice color for them.
I created another class called nerds and I assigned it to the Taming the Terminal and the Programming by Stealth podcasts.
Instantly I had green nerdy boxes for the two nerd podcasts. One thing that can make your node stand out even more is to add Font Awesome icons.
While this is possible, the developer of the app or service you're using to create your Mermaid diagrams has to enable it, and Mermaid only supports Font Awesome 4 and 5, not version 6.
Mermaid from the command line does let you put the cute little Font Awesome icons in, but none of the easy-to-use text editors I tested support it, so sadly we'll have to abandon it for this lesson.

[24:31] Now there's a lot more you can do with Mermaid diagrams, but let's just do one more fun thing. Let's change the way the arrowed line looks that goes to our two nerd podcast nodes.
We've been using the syntax dash dash angle bracket to designate a line with an arrowhead. We can make that a dotted line if we just stick a dot between the two dashes instead.
So it's dash dot dash angle bracket.

[24:55] Now we have to rearrange the relationship lines a smidge to get the dotted line to go just from PP to TTT, and that makes the text a tad longer, but it was still super readable.
We could make the line designation even more interesting by adding some text to the dotted lines for the nerd podcasts. Instead of dash dot dash angle bracket, we can interrupt that by putting text between the two dots. So I put in dash dot, nerds, dot dash, and then the angle bracket.
This was looking snazzy, but I wasn't happy with how the lines curved on my diagram by default. I found a section in the manual on styling line curves.
Well, I've got a warning here. This is going to look like the nerdiest part of your diagram, and I don't even understand all of the syntax. But to change the default styling of your lines in Mermaid, you put an initialization line at the top in which you can describe the default curve shape. I tried out the different options from the manual. The linear shape looked best to me.
Instead of wide swoopy curves, the diagram now has diagonal lines that sharply turn downward, and the word nerds sits nicely at the corner.

[26:01] I had to stop here because I could keep tweaking this diagram all day and learning more and more cool things I could do with Mermaid.
My final masterpiece is a grand total of 26 lines, and it's actually human readable.
Now you can do a whole lot more with Mermaid than I've described here, but as I said, I had to stop. Hopefully what I've explained tickles your interest to go play with it and see what it can do to help you make fun, interesting diagrams in plain text.

[26:28] Well, I tried to get off easy and just wrap up this article thinking you might not notice that I didn't tell you what you can actually do with a Mermaid diagram after you create it.
But it bothered me that I didn't know the answer to that question myself. You can see your pretty diagrams in your text editor of choice, but how do you share it with someone else?
Ideally, I'd like to be able to send someone a PNG image file.
Well, if you're a nerd, there's a lot of great options. GitLab and GitHub have integrated Mermaid diagrams into their services. This makes a lot of sense, because, as I explained, having version control on plain text files is the whole reason for being for these services. Version control on image files isn't as practical because you have to keep recreating and replacing the images. Instead, since Mermaid diagrams are just text files, they're purpose-built to work with Git. But the whole point of this article was to teach the less nerdy amongst us how to make Mermaid diagrams. So we need a simpler, muggle-level way to actually publish a graphic image of a Mermaid diagram. The obvious solution is to simply export the graphic image from one of the text editor tools I mentioned. Or so you would think. Let's talk through a few of the options I tried. Now Obsidian, Al's favorite, is a bit weird for my taste. It has this concept of vaults, and I actually ended up in a condition where I couldn't open any of my files.
But when it was in a good mood, it worked well to create Mermaid diagrams and view them graphically.

[27:52] While Obsidian won't let you export as a PNG, it will let you export to PDF. If you open the PDF in Preview, you can then save it as a PNG.
From there, you can then crop the giant white canvas Obsidian gives you in the PDF down to just the diagram.
While that's an annoying two-step process, the good news is that the resolution is really good, so you can expand it to be pretty big.
The one I created came out 1472 by 945 pixels and it looked beautiful. Notion worked well too to create Mermaid diagrams and even has a specific integration for them.
But for the life of me, I could not find any way whatsoever to export the image file in any format at all.
If anyone can figure out how the heck to get Mermaid diagrams out of Notion, I'm all ears. Notion is marketed as a collaboration tool, so maybe Mermaid diagrams captive inside the tool could still be useful for teams. I prefer tools that let you import and export data.

[28:51] Now Joplin, like Obsidian, allows you to export PDFs, so we have to do the same dance to save as a PNG and then crop a giant white canvas down to that image. Again, the good news is that the resulting image was pretty high resolution, so this method does work. Still, it's weird not to be able to just export an image file, but that workaround does give the desired image size. Now, nerds use a tool called VS Code, or Visual Studio Code, written by Microsoft, and it actually works quite well for creating Mermaid diagrams, and it's free, and you can use it even if you're not a self-proclaimed nerd.
That is, if you install a plugin for visualization. The one I was using that nicely rendered my Markdown text worked perfectly.

[29:30] Guess what? I couldn't figure out how to export from VS Code. I tested a few more plugins that were supposed to allow the user to export the graphic, but I couldn't get them to work.
Worse, they disabled the Markdown rendering plugin I was using originally. I ended up messing all my plugins up and luckily I opened it a few days later and it was all fixed again, so I'm afraid to touch that again.
So VS Code export was not successful. Now for a diversion that will eventually answer the question of how you can easily export mermaid diagrams to a PNG.
As I was fussing around with all of this, I posted a question on Mastodon, I tooted it, and I asked, what do people actually do with mermaid diagrams if you can't export them anywhere?
It resulted in a fun new friendship with a gentleman named Ed Ross.
Ed and I exchanged around 20 messages about mermaid, and we did a whole bunch of experiments together.
The funny part is that Ed had never seen a mermaid diagram before we started talking, but he quickly descended into my madness with me.
He learned them on the fly as we were chatting, and he ended up down a whole new path. Now, Ed decided to try to use ChatGPT to create mermaid diagrams.
I know, this doesn't have anything to do with how to export them, but it was so much fun. In case you don't know about it, ChatGPT is an OpenAI tool that allows you to ask questions in text, and using its dataset from scraping all openly accessible data on the web, it develops an answer.

[30:54] ChatGPT is often wrong because humans are often wrong and humans have written the content in its dataset.
But ChatGPT can be a useful tool if you know how to vet the information it provides you.
For example, Ed asked it to create a mermaid diagram to show the relationships of the Simpsons family. Of course he did.
And it created a correct representation.
Now I tried to replicate Ed's experiment, but the output from my ChatGPT query returned the wrong syntax for the mermaid diagram.
It used two dashes instead of three to draw the lines, so the diagram basically just threw an error until I fixed it.
Now my second attempt was to ask ChatGPT to create a mermaid diagram demonstrating the relationship between the three branches of the US government.
Not only was the diagram correct, but the paragraph of text that came along with it was also correct.
Like I said, it's very important to vet what you get out of ChatGPT.

[31:48] So anyway, while Ed and I had fun playing with ChatGPT and making mermaid diagrams, Ed suggested I go back and give the Mermaid Live Editor another try.
You may remember at the start of this article I said I tried it but it was ugly as sin. I had also tried to get it to export an image file, but it didn't work when I tried it.
On Ed's advice, I switched from Safari to Microsoft Edge, which is a Chromium browser, and then the export function did work to save a PNG.
I could have sworn I tried that, but the evidence does not support me. Anyway, you'd think I would declare victory at this point because I did technically get a PNG on export out of the Mermaid Live Editor, but it was wee tiny and barely readable.
It was super fuzzy. It was terrible. Mermaid Live Editor does provide a scaling option for PNGs where you can set it to a specific width or height, but it does not work intelligently at all.
I changed the width to 2000 pixels wide, but instead of enlarging the PNG, it enlarged the white canvas background, effectively shrinking the PNG even smaller.

[32:48] I was really feeling like mermaid diagrams were just mocking me at this point. How does anyone export a PNG in one darn step from anything?
Ed didn't give up on me and he suggested I try the SVG export option from the Mermaid Live Editor.
SVG stands for Scalable Vector Graphic, which is an ideal format because if you get one of these, you can scale vectors to any size you like.
You do have to use a vector editor and then save it to a PNG, but it could give you the best image quality possible.
I tried the SVG export button in the Mermaid Live Editor, and then I tried to open the file in Affinity Designer, my favorite vector editor.
The resulting graphic was a bunch of solid black boxes. They were the right shapes and the right sizes, but they were solid black.
I opened up the little thing that shows you all the layers and everything was black. I was baffled by this.
Figuring it was some misunderstanding between standards for SVG definitions, I tried opening it in the very good and free Vectornator application, but again, I got the same black boxes.

[33:49] By this time any sane person would have given up, but I'm like a dog with a bone when I can see a solution just outside of my grasp.
There had to be a good way to export mermaid diagrams as high-quality PNGs. I posted the problem in Slack, and Alistair Jenks had a very interesting idea.
He suggested maybe the SVG was actually okay. He suggested as a test that I just drag the SVG into my browser window.
He said if the file wasn't damaged in some way, the browser should open the graphic. You can't double click and open it, by the way, you have to drag it.
Sure enough, the diagram opened in all of its glory right there in my browser. I used command plus to increase the size of the graphic and then I just took a darn screenshot of the browser window.
It's inelegant, but for a relatively small and uncomplicated diagram, it finally worked.
I said at the beginning that Mermaid diagrams won't take the place of my beloved Then I discovered that has support for mermaid diagrams.
It's not hard to make them in, but it's not at all obvious how to do it. Under the Arrange menu, you'll find an option to insert, and at the bottom of the menu you'll see an advanced menu, and in that menu you'll find mermaid. It's only one click to get there,
but I'm sure I'll have to look it up every time I want to do it.

[35:07] This opens a little text field, and I mean little, it's not very big to work in, where you can type or paste your code. When you hit OK, you'll see your lovely diagram.
To edit the diagram, simply double-click on the image in, and you get the text box where you can change the text, and when you hit apply, you'll see your changes. The text box is pretty small, like I said, so I'm not sure I'd want to do my initial creation of a mermaid diagram in, but it does work for small edits. There's a huge advantage to rendering your mermaid diagrams in
They're vector-based diagrams. That means when you choose File, Export, choose PNG, you can type in a scaling factor, the PNG is actually scaled perfectly.
Finally, I have come full circle from my favorite diagramming tool to my favorite diagramming tool.
Not only that, I started thinking.'s file format is XML, which is what?
A plain text format. So the mermaid diagrams I create within can be put in version control.
Then that got me to thinking, if all files are in text-based XML format, could I create my diagrams with the native tools and use Git to do version control on them?

[36:17] Well, that's a thought for another day. The bottom line is that I was hoping to show you how fun it is to make diagrams using Mermaid, and that even for the non-super geeks, it can be fun and pretty easy.
I'm pretty sure that in the end, by giving you 12 different ways to not successfully export the diagrams, I may have turned you off from the whole idea, but maybe you can find one of those ways that brings you joy.

Support The Show

[36:39] Way back in December, Russ Sherman became our newest Patreon subscriber and I totally forgot to thank him and mention it!
I feel terrible I didn't immediately sing his virtues after he made the decision to help support the shows we do here at the Podfeet Podcasts.
He went to slash Patreon and he committed a dollar amount that was right for him and his family and also showed his appreciation for the content we provide.
Also, the delightful Klaus Wolf went to slash paypal and he made a one-time donation to help the show.
He is an equally fine human being and I celebrate his virtues as well.

Security Bits — 8 January 2023

[37:14] Music.

[37:22] Well, it's that time of the week again. It's time for Security Bits with Bart Busschots and we're going to be eating some vegetables today, it looks like, huh Bart?
Well, on the one hand, there's three deep dives. On the other hand, there's very, very little else.

I think that's kind of what you like actually. I do like the chewy ones, but I'm sad about this first story. Yeah. So we need to revisit our discussion of the LastPass breach. When we spoke about it last was about two weeks ago.
And at that stage, it was all pretty new. And my initial reaction was, okay, they have arrived at their worst case scenario, but that doesn't seem too bad.
Assuming you have a decent password, you should be fine. And I didn't, I really didn't want to be quick to jump to a conclusion I would regret.
I would rather arrive at a more controversial conclusion slowly and carefully and considerably.
I have arrived at that conclusion. Let's review really quickly what we do know.
So what we knew last time was that they had lost access to some or all of the backups from some time at some point in history, and that the only thing protecting those backups
was the user's, what LastPass called your last password, which 1Password users would call the master password, the password protecting your vault, and that the vault contained a mix of clear text.
So basically the metadata was in plain text. So the URLs and the usernames were in plain text, whereas the passwords and secret notes were encrypted.

[38:52] So that's what we knew last time. And we knew that they had disclosed it, maybe not quite as quickly as everybody would have liked, but it appeared that they did responsible disclosure.
At first glance, yes.
That's what we thought. Yeah. So since then, two things have happened. More facts have come to my attention, and I have been listening to the well-reasoned opinions of others and, you know, taking them on board.
And I have changed my mind. I have become much, much less "this is okay" and much, much more "this is not okay."
So we'll start with the easy stuff, which is the new information. So LastPass said in their disclosure that they were using 100,100 rounds of PBDSK2,
which sounded good to me, but mainly because...
I think you said the acronym wrong and I don't know what it means anyway.
PBDF, password based... PBK, password based. Yeah. It's wrong in the show notes as P... It's password-based key derivation function.

[39:55] PBKDF2. That is the method of turning your password into the key that actually does the encryption. That needs to be difficult. Okay, and they used 100,100?
They said that if you had used their recommended settings, then your vault was protected with 100,100 rounds of PBKDF2. Password based PBKDF2.

[40:19] Okay. It turns out that actually the advice at the moment is to use 310,000. So even the vaults using best practice, not really that good a best practice industry wide.
It was what they were advising their users, but it wasn't actually best practice industry wide. That's 310,000.
But way, way, way, way, way worse is that they made the change from 50,000 to 100,100 in 2018 and they did not trigger people's clients to upgrade people's vaults.
So people with a vault older than 2018, a lot of them are discovering to their horror that their vaults are only protected with 50,000 rounds, which is not enough. It's not nearly enough.

[41:09] So that's bad. I didn't want to make a strong statement last time because I wasn't sure of my homework.
Whether or not this whole thing of having the metadata in the clear was something inevitable that all password managers shared, or if it was something unique to LastPass, and I am sorry to say it is absolutely, positively not inevitable.
It is absolutely positively not normal for cloud-based password vaults. It used to be normal when vaults were purely local files, but when other password vaults synchronize up to the cloud they wrap everything in encryption so that the metadata is encrypted too while it's in the cloud.
Because that way if the cloud gets breached it's safe.
The other thing that has come to my attention is that having the password be the keys to the kingdom is also not normal. It's also the old way of doing things from before the cloud sync days.
So... I thought that was the whole deal. If you had a long strong single password, that's what it was encrypted with and you were safe.

[42:21] That's only part of the story. So a well-designed password manager designed for a cloud world.
So in other words, not the old way where you had a local vault that you synchronized over Dropbox, but a modern password manager is cloud native, is designed differently.
So there's actually two things protecting your safety.
There is your password, and then there is a per device key. And that key is randomly generated and that key never goes to the cloud.
So this is why when you set up 1Password, they made you print out a PDF with a 2D QR code.

[43:03] Your recovery kit. That recovery kit is that key. That is that 256 bit key. That key is what protects your 1Password vault in the cloud.
If you had the world's dumbest password of open123, your vault would be 100% safe if 1Password was completely hacked.
If they lost everything, your passwords are still safe.
That is not true of LastPass. Yes. I had a vague feeling that was... LastPass were not best practice, but I wasn't sure so I said nothing. I've now done my homework.
They are absolutely, positively not best practice. They have taken the old local model, shoved it to the cloud without adding the extra protection the other providers added before going to the cloud.

[43:52] And we didn't, that wasn't at the forefront of mind. Maybe you've known it at one time, but not.
It was in there and I had this nagging feeling that 1Password was better, but I didn't want to say anything last time because the last thing I want to do is tell people half truths.

[44:09] Right. So I've now done my homework and 1Password were quite quick to crow about it. They have a very fun blog post, which I think gets the award for snark of the year.
The blog post is titled "Not in a million years" and explains why it will take a lot less than a million years to crack your average LastPass vault.
So that claim of, oh, your vaults are safe and it'll take a million years doesn't actually stand up to scrutiny in the real world. Unfortunately.
So where does it... I'm a little annoyed by the idea of 1Password crowing about anything here. This is a sad time.
This is like, they're not crowing. They're not crowing. It's a really well written blog post. It's very informative. Let me give you the impression they're being...

[44:54] Okay. You said snarky and it's a good headline. Maybe I didn't express it very well, but it is not a nyah-nyah post.
Okay. It's a here's why we're different. Here is why we're different. And here is why you need to be more concerned than LastPass are telling you to be, which is... two thirds of the article are why you actually need to be more worried about what was lost. And one third is, and by the way, if we were to be catastrophically hacked, here's how we're different.
And the key point they say is we designed our infrastructure on the assumption that we could get completely hacked. Therefore, what do we do to make that not be a disaster?
Therefore, we have not been, but if we were, then we would have this level of protection, which you don't have with LastPass.

[45:39] Okay. Okay. So let me see if I can say it again, because I talked over you a couple of times with questions, right? When I think you said crucial bits. So with LastPass, you have your last password.
That's what encrypts your data.
If you have a good 30 character upper lowercase numbers, special characters password, then it's encrypted with that and you're probably fine.
Fine-ish at least. Unfortunately, they can see this hash goes with your Gmail account and this hash goes with your GitHub account.
They have that kind of information, but they still can't bring in the hash. But if you had a bad password, then the encryption is not going to save you because it's not also encrypted with a private key like the way 1Password does it.
That is all correct. You have said nothing incorrect, but there's more. Okay.
If your vault is older than 2018, there is a chance that it does not have sufficient rounds of password based key derivation. Therefore, it is easier to crack than it should be by orders of magnitude.
So even a strong password is weak.

Is it easier? Or is it orders of magnitude? Or easy?

[46:52] It is within reach of I throw a thousand euro at this cloud provider and they'll crack it in a day or two. Depending on how long your password was.
No, no, no, no. I'm saying if you have 50,000 rounds, no matter how good your password is, it is crackable with reasonable resources.
Oh, geez.
Right. Because that one made me... when Steve Gibson said "I have confirmed from actual users, there really are people with 50,000 rounds," my jaw hit the floor.
It's like, Oh no, that's just not good enough.
And Steve was also slow to report on this because he also didn't want to go off before he was sure.
So if you have had LastPass since before 2018, even if you've changed your password since then, it's probably still set to 50,000?
No, if you have changed your password, it seems to be that if you have changed your password, it will have redone it, right, because the new default is 100,100.
But if you don't, if you had been using it since 2018 and haven't done anything, the app won't have upgraded the rounds for you, as it really, really should have.
Like literally, the moment the software update hit the app, the app should have just re-encrypted. Because the moment you unlock your vault, it's unlocked. So the app can re-encrypt it using whatever stronger algorithm it likes.

[48:20] And it doesn't disturb you in any way. Exactly, it's a zero user inconvenience. It should have just rolled forward the encryption.

[48:29] It just should have done that. There's just, there is no excuse for not doing that. It's not that, oh, that would have been awkward for users.
No, would have had no impact on users other than making them secure. So that is a colossal mistake.

[48:43] Now, the other point that I think I may have gotten a bit lost in our conversation is that humans are terrible at picking passwords, so password crackers are really good at guessing passwords that are humanish.
So even if you take five words from your favorite Harry Potter movie and make them into a 30 character password, the fact that you as a human picked five words humans are likely to pick means you're nowhere near as safe as you think.
The computer has to pick it for you. That is one of the magic things about XKPassWD.
The computer is picking for you.

[49:21] Humans just- Why? Okay.
So back when you explained how XKPassWD works and you walked us through all of the ways that you calculate entropy. And we talked about password haystacks from Steve Gibson and the logic behind it.
I remember you saying that just making it longer created the increased entropy.
So even if you put in repeated characters, that still made it stronger. Why would me making up four words, five words, six words, why would me making it up make it less secure than the computer thinking it up?
Because you are human. We know how you work. No, no, you are human. You are not picking at random. Don't say no, I didn't say anything, Bart. No, no, but I'm correcting you. You said no before I said a word. Okay, you are human.

[50:13] I understand that. We know, and the password crackers are really good at this, we know the subset of all of the words on the planet that humans gravitate towards.
Yes. Therefore, when they crack passwords, they stay in the human bit, and that speeds them up by orders of magnitude.

[50:32] But the way you explained it was it's not like the movie The Net with Sandra Bullock, where they get one character and then they get the next character and then they get the next character, anything like that. So if I've got five words embedded in a string with special characters or numbers and it's upper and lower case, why is, how on earth can they get to those pieces?
Logically, because I'm a human, they get to them faster than they get to a truly random password, because those words shove you into the bit of the search space that is human-ish.
So the password, you say no, the people wrap symbols around that, and they know the people wrap numbers around it, so you are in...

[51:13] You were in the bit of the search space that is not the worst place to be. The worst place to be is open monkey. What you're in is the search space of human-ish, so when they start to search, they start with the really dumb passwords and they move forward.
And the last place the searches ever get to are the truly random passwords.

[51:32] So are you saying that just like using, if I used all lowercase versus lowercase and uppercase it's twice as hard, you're saying that the subset of say English words, if there's 100,000 English words but humans use 10,000 of them, I'm in one tenth of the search space?
Yes, exactly. And they know how to prioritize where to look.

[51:57] So the more symbols you throw in, you're still better, right? But if you think of yourself as being on a spectrum between terrible and wonderful, if the human has done the picking, it moves you down the spectrum.
It jumps you closer to where they're going to find you quicker.
It doesn't shift you to it's a disaster, but you're less safe than you think because you, the human are predictable. You've added a level of predictability.
If I've got a 35 character password with letters and numbers and special characters and upper and lower case and Allison chosen words, which I don't by the way, I use that.
Yeah, but that's how you do. But let's say I am not the low hanging fruit, but I'm not the highest hanging fruit.
Correct. Closer to the, I'm lower than the top of the tree.
Yes. Branch. So you are more secure than people who have shorter human-picked passwords, and having such a long human-picked password puts you pretty high on the end of, as human passwords go, you're good.

[52:52] But you are still way down the tree from random passwords. You're still in the bit of the search that they will get to quicker.
Okay. We can also say the same thing about one passwords password picker, correct?
They don't do it with as much entropy as you do in XKPassWD, but they will say, okay, I want words and it'll give you five words.
Yes, but again, they don't seem to do all of the different, they don't add all of the options, special characters.
Correct, but again, they're picking the words truly random from the dictionary, whereas humans don't.
Humans just are not random. We are terrible at randomness. That's what I'm saying. I'm just saying they're better than a human, but I think XKPassWD is better than 1Password.
It's all on the spectrum. You're dead right. Yes, that's exactly the right way to think of it. There's not like good and bad. it's like terrible, wonderful and lots of stuff in between.
Yeah. So like if I ask it, tell it, the default is three words and it shows, uh, current and all capital letters dash surly dash Sundew.
Well, I probably wouldn't have picked Sundew, uh, or even current cause it was A and T, but it's just got special characters and words.
It doesn't have, and I can change the hyphen, but it doesn't have, um, any special care or any letters or I'm sorry. It doesn't have any numbers.

[54:13] Yeah. Which is why I really like the fact that I add numbers to the end of my my random passwords, I think that's just a nice little extra thing to do.
And it's not humany because humans pick on average two numbers, one or two.

[54:25] If human, human pick passwords either start with a one or two or end with a one or two. And if you tell them they have to use a symbol, it's probably an exclamation point and it's probably on the end.

[54:36] Humans are terrible, terrible, terrible, terrible. OK, so that's so far we have stayed in the land of fact.
Now we're in the land of observation and I'm going to do something I do very rarely. I'm going to give credit to Leo Laporte for opening my eyes.
So Leo Laporte made the really good point that although the disclosures from LastPass on the surface look good, they say RSA 256, they say we're using 100,100 rounds of PBDFK2.
Usually you're missing that kind of technical detail, so my first impression was actually very good because they're actually giving us the technical detail.
But Leo pointed out that there are two things they did not tell us and they are simply the most important things to know.
The first one is so obvious I'm kicking myself.

[55:28] Who's backups?

Everyone's backups. Most people's backups. They have to assume all because if it was some, they would have said some.
Yeah. I mean, that's, we're left assuming that right. Because you're dead right. Right. If there was wiggle room, they would have wiggled.
So there mustn't be wiggle room, but that's an assumption we shouldn't be making. They should just be telling us that.
But the second point Leo raised really made my jaw hit the floor from when.
Their backups. Yesterday's backup, last week's backup, last year's backup, 2017 backup. Because they didn't introduce proper rounds of PBDF2 until 2018, so if the backup is from 2017... Is it a full sequence of versioned backups?
Is there like a full version history for every person?

[56:20] When? When was that backup from? If I changed my password six months ago because I got scared after the first breach, am I okay because this lot of backups were stolen afterwards and therefore my strong password is protecting me?
It's vital to know what point in time these vaults are at because that will tell you whether or not you're safe.
What state was my vault in at the point in time that they nicked the backup from?

[56:43] We don't know. And they haven't given us a clue. They haven't even told us all the backups are less than a year old. Or all the backups are at least two years old.
We don't know. So that means your worst ever password in your entire history of being a LastPass user is what you have to assume is protecting your vault.
The worst possible PBDF2 setup that has ever existed on your account is what you have to assume is what's protecting your password.
So if you've been a long time user, you have to assume 50,000 iterations. In other words, you have to assume that no matter how good your password is, you're in big trouble if you've been using it for longer than 2018, because they haven't told you anything to put your mind at ease.
I have a family member that we've been working on for about five years to convince to use a password manager.
This person agreed about six months ago.
And did it in LastPass. Well, that means they definitely have 100,000 rounds. Right. And I'm fairly certain they would have used a very long, strong password. I believe they very likely would have gotten it from XKPassWD. I don't know that for a fact, but I need to find out.

[58:00] In that case... Another family member who has definitely been in it since before 2018.

[58:07] Okay. So the newer family member, if you can verify that it's an XKPassWD password, they are in the category of best-off LastPass users.

[58:16] So if you think about it, you don't have to outrun the bear. You have to outrun everyone else.
The attackers have so many people to go and compromise at the moment that if you're not in the bottom pile, then why would you spend money trying to crack difficult ones when you can throw resources at it once you've cracked a hundred of them?
Well, that's enough to keep you going for a while. And then you might crack another few hundred next month and another few hundred next month and do your nastiness on those people.
So your second, your relative who signed up recently is in as good a position as I can imagine being as a LastPass user.

Yeah. And then the other person is probably doomed. Unless LastPass release some information about when the backups are from, I think it's a case of saying at the very, very, very, very, very least email addresses and banks need to have their passwords changed, and they need to change the password on their vault today so that they definitely have 100,100 rounds and a strong password, and then go to the actual websites for everything that has money and everything that gives you access to other accounts, i.e. your email addresses.
They are the two crown jewels.
If those can be fixed and if the password can be changed, then yes, they may have to recover other accounts because they may end up losing something temporarily.
But at least if you have the email address and you have your money, you're not in an unrecoverable situation. Whereas if you lose your email address, you can't recover the other stuff.

[59:48] OK.

[59:51] This is just a very unpleasant conversation. This is a very unpleasant conversation because basically we're in the situation of there are bad options and worse options.
Here's the bad option.

[1:00:02] Right. Taking notes. The easy part.
The easy part is going forward if a family member says, what password manager would you advise? The answer is no longer LastPass. That's the easy part.

[1:00:17] Right. The, I'm also going to check and see how the one password, how big I can have my one password family and just start adding them in.
You can add... I will pay for them. You can add as many people as you like if you're prepared to pay. I think you get five of them for the standard price and then it's a per person per year addition. I think we have 10 in our family.

[1:00:39] Yeah, I will pay anything too. I think we have, oh, I have four right now, so that's fine.

[1:00:48] Oh, that's dreadful news. So one last question I wanted to ask you.
I have heard people who are reasonably intelligent folk on podcasts saying, well, the solution is don't trust someone else to host your vault. You should host it yourself.
My first thought is, I'm pretty sure that as bad as LastPass did this, they're still way smarter than I am.
Or the other way to look at it is there are people who are better than LastPass at this, but actually the real, at the nub of the question here is the fact that there are two risks to your data.
There are two equally important risks to your data. Risk one is someone else gets their hands on it.
Risk two is I lose access. If you choose to go away from the cloud, the risk of you losing everything goes way, way up.
So sure you have reduced one risk but you've massively increased the other so are you safer?

[1:01:53] I would argue for most people the answer is no. Certainly friends and family whom you're tech support for, the answer is absolutely, positively no, they would not be safer without the cloud having their back.
If you're really geeky and you're prepared to take ownership, have at it.
But it is not a solution for the average person. But even as geeky as you are Bart, do you think you could do a better job of securing your password vault than LastPass?
I could do. I have no interest in spending my time doing it. I have better things to do in life.

[1:02:31] But you're confident that you would never make any mistakes that would cause an exposure of your data.
If I was forced to do it as best as I could, it would take me a lot of time and effort. And I'm confident I could do it well.
But I have a life. I have a job. I'm not going to spend a few hundred hours engineering a solution and then maintaining it going forward.

[1:02:56] All right.

[1:02:56] Right. Right. And you're right. I probably screwed up too.
It's just even weird. Yes. Well, that's the part. That's the part I'm trying to get to is, okay, maybe I'm asking the wrong person, but you know, the typical uber geek that is not a cybersecurity specialist, I just don't know.
There is a lot of overconfidence in the... I mean, you got to be able to say PBKDF2 and know that in 2018, it, you know, I mean, you gotta know too much.
You gotta spend your life doing it. There are a lot more people who think they could do it than actually can.

[1:03:34] Yes, yes, that we can agree on. Okay. The phrase that leaps to mind, I'll end you on a cliche.
A little knowledge is a dangerous thing.
Mm hmm.

[1:03:47] 100%. Now, while the world was busy reacting to what is clearly a big deal at LastPass, other news happened and got swamped.
So deep dive number two is the first of those other stories that happened. We learned about a Twitter breach.
The Twitter breach actually happened about a year ago, Twitter didn't actually notice until last summer, and they kind of thought they got away with it but it turns out they didn't.
Jeez. So, what happened is, this time last year, there was a flaw in one of the Twitter APIs, which allowed an unauthenticated user to get information out of the API they should not have been given.
And this allowed them to make a request to Twitter's servers and say, is this telephone number a Twitter user?
And the answer they got back was yes and here's their username. So you could probe for the phone numbers that match Twitter accounts. So you know for example that AT&T use a certain range of cell phone numbers.
So if you throw 100,000 requests at this API with the range of telephone numbers used by AT&T, you will end up with quite a lot of hits, and then you build up a database of known mappings of Twitter usernames to cell phone numbers, and they ended up with 400,000 such mappings.

[1:05:12] This gives you a database which almost certainly contains celebrities, important people, or maybe just girlfriends people want to get revenge on and stuff like that.
So it's a database of 400,000 people whose phone number and or email address can be mapped to their Twitter username.

[1:05:34] That is the total of the breach. It is phone number and email address. So the biggest risk to regular folk, right, to most of our listeners, the biggest risk is if you happen to be in this bunch, the most likely outcome is that you could be targeted with an automated phishing attack that is equally sophisticated as would normally involve,
so an automated spear phishing attack, because they have enough information to be more convincing. So just because something knows your secret, your phone number, which they shouldn't know, doesn't mean they really are Twitter, is what it boils down to.

[1:06:10] If you're someone important to be targeted, then the really big danger is a SIM swap.

[1:06:19] So if you are a celebrity, a political leader or a government official, it is worth the effort of doing a SIM swap against you to get into your Twitter account.
If you are someone who works for a major corporation, if you're Tim Cook or someone that's worthy of attacking.
And the other thing that's worthy of attacking is a cool username. There are genuinely hundreds of thousands of dollars of value in having a username like @Bob.
That is probably worth a few hundred thousand dollars. So if you have a nice Twitter username, you are as valuable to a cyber criminal as a celebrity.

[1:06:56] I'm missing one piece here, Bart. Okay. A fundamental piece.
Why is knowing my email address and my telephone number and my Twitter name in a combined thing? How does that make me a target for phishing?
Well, because you can send the phish that appears to come from Twitter that is extra convincing.
Because we can include in the phish. The phish can try to trick you into whatever it is they want to achieve. And they can make themselves look convincing by knowing your phone number, which is not public information.

[1:07:28] That makes them look like Twitter.

[1:07:31] But what can they phish me to do? Whatever. That is up to them to decide. My bank account. I mean.

[1:07:40] Maybe they want to see, maybe just want to get into your Twitter account because you're a celebrity or whatever, right? Okay. That's why I'm trying to figure out. That's the main thing.
Possibly. I am not going to say that I am as imaginative as a bad guy.

[1:07:53] Okay. It is extra information they can use to make it appear like they are Twitter. What you then do with your ability to impersonate Twitter, that is up to the imagination of the attackers.
The most likely target is your Twitter account. The most likely thing to do is to attack the Twitter account.

[1:08:13] But you could use it as some other way of getting confidence. If that person has a blue tick, then they have a financial relationship with Twitter.
So then you could use it as a way of getting at their financial details. Oh, we've a bit of a problem processing your credit card. What's your full credit card number ending in 432?
You see the way it can be coming into something, right? So it is an in they should not have.
It is a helping hand up to attack you that they should not have. And it may catch you off guard because they know something that you think is secret, it makes them more believable.

[1:08:46] That's always we humans, we fall for things. This makes it easier for us to fall for things.
The SIM swapping attack is a much, much, much bigger problem because that just bypasses two-factor authentication.
So if you're, you know, @JoeBiden or whatever, I really, really, really hope you're not using SMS 2FA, because the real takeaway here is if you're still using SMS-based two-factor auth, stop.

[1:09:10] Because then if someone knows your phone number, they can SIM swap you. And SIM swapping is available as malware as a service.
Like the cloud, the bad guys have cloudified themselves fully.
You can get ransomware as a service. You can even get swatting as a service. You can get people physically attacked as a service. You can get SIM swapping as a service.
So if you are valuable enough, then it's a matter of: the amount of money to SIM swap you is a hundred dollars.
The amount of value in selling your username is $100,000. Therefore, it is financially viable for a bad guy to SIM swap you if you have a cool username.

[1:09:48] Right, right. I know two regular folk, I mean, you know, podcasters of our level of fame and fortune, who have been SIM swapped, and boy, what a mess.
It's really hard to fix.
It's really hard to fix and it's really real. Now the carriers are catching up, but they had a long way to catch up from.

[1:10:08] Long way to catch up from. And before Elon broke Twitter and fired everybody, it was really hard to get anybody's attention at Twitter to help you. Yes.
And I can't imagine that's gotten better. I don't think so.
So that takes us to deep dive number three, which is a GDPR story. So on the whole I think most people are quite happy about this story.
So Meta have been fined 390 million euro by the Irish Data Protection Commissioners for not getting consent for ad tracking.
So for sending you... I'm so sad Bart. This is terrible. Poor Meta.
Poor Meta. Breaking my heart. So the bit that makes your head immediately explode is the next thing I'm going to say.
Obviously Meta are appealing the decision. That goes without saying.
Do you know who else has filed suit against the decision? The Irish Data Protection Commissioner.

[1:11:04] Who issued the ruling have filed a court case against the ruling. That is weird.
But it does make sense. Okay. Okay. Sure.
So I am going to say, if you really want to understand what's going on here, there's a podcast episode a certain Allison Sheridan and Bart Busschots recorded some time ago, Chit Chat Across the Pond episode 534, where the two of us go through exactly how the GDPR works.

[1:11:31] But for our discussion today, we don't need to know everything. What we need to know is that for something to be legal under GDPR, sorry for data to be collected legally under the GDPR, you have to be able to map that data to one of six possible legal bases for holding the data.
So the basis the GDPR prefers you to use is consent.
Just ask.
If you've asked for it without lying or cheating, then you can do what you like because you've asked. So the GDPR really just wants you to ask.
If you're not going... Well, and they say yes. Correct. Actual, genuine consent. Consent. Informed consent.
Okay. So that's legal basis number one. If you can get consent, you are in the clear for the GDPR. The other ones that are basically excuses for not getting consent.
So legitimate interests: you basically have to argue that you have a legitimate interest. A classic example would be web servers log IP addresses. IP addresses are technically classed as PII. If you're running a website then IP addresses will be in the logs; that is a legitimate interest.
That's just, okay, that's how it is. Contractual obligations would be: I have ordered a toothbrush.

[1:12:41] You have my address on file so you can deliver me the toothbrush. Because we have a contract to exchange toothbrush for money, therefore I need to know where to deliver the toothbrush in order to complete this contract. That is a contractual obligation.
So you don't have to get my consent for my address as part of the contract we have between us.

[1:12:58] Legal obligations. The law says I must do X. Well, must follow the law. So that's a reason for holding data.
Vital Interest is a more difficult one. Basically, if I don't collect this, something terrible happens. And now you're into, let's have an argument in front of a judge.
And public interest is even fuzzier. If I don't collect this, bad things happen to society. And you want to have a pretty robust case to make that one stand.
Right? So they're on a scale from consent, easy, to public interest, really hard to prove. So the last thing Meta want to do, and the reason they are completely against App Tracking Transparency, is they do not want to ask for informed consent.
They are doing everything they can to avoid having their ad business on the basis of informed consent.
They believe... Because we say no. It's been proven that we say no when we're asked, right? Based on the app tracking transparency data from Apple?
Yeah. If you actually ask people the question honestly, they do not in fact want to be tracked.
So Meta's argument is that they have a contractual obligation to track you.

[1:14:11] You have agreed to use a website that uses ads and the only way you could possibly make money from ads is to track people, therefore we have a contractual obligation to track you.
Okay, that is not a valid argument in my opinion.
Well the thing is the Irish Data Protection Commissioner has agreed with that argument.

[1:14:32] Really? But, under the GDPR we need to have consistency across the whole EU. So the reason the Irish Data Protection Commissioners are in the mix here is because Facebook's headquarters happens to be in Dublin.

[1:14:44] Their European headquarters. So the Irish Data Protection Commissioners go first. They write a ruling, but that ruling doesn't go into effect until it has been handed to all of their counterparts in every other country where Facebook does business for them to comment on the ruling.
And they can come back and say actually we disagree, we want you to change this. And 99.9% of the time this is like I want you to put an extra sentence here that says this.
Actually I wish you would rephrase this. Most of the time these comments are utterly boring and banal. This time that is not what happened. Five countries got extremely cranky with the Irish Data Protection Commissioners ruling.
And they objected fundamentally to the very concept that it is a contractual obligation to track people.
And so when there is a substantive disagreement there is like a board of data protection commissioners who sit above all of the data protection commissioners and so that board had to rule.
That board had to look at the question and rule.
And that board ruled that it is not a contractual obligation, therefore consent is required. And the way it works is that if that board rules the Irish data protection commissioner is bound by that ruling.
So they have to issue a ruling in their name that has been dictated to them.
Yes. So they issued the ruling and then immediately filed suit in the European court saying we think that the board overstepped its authority.

[1:16:12] That is why they are appealing the ruling. They're not appealing the ruling. They're appealing the board's ability to rule at all on this matter.

[1:16:20] So what's their basis for that? They say that they get to decide what is and isn't contractual obligations, so that's not something that can just be dictated to them by the board.
I haven't read the exact legal wording of their, but basically they think that the board has overstepped its authority.
But the board is there to do exactly that and the rules say they can do that. Correct. So... I am now.
These are the facts of the matter. I am now digressing into a panel put on birdhat. Yes, I'm now going to give you my reading of the situation as a person who is into privacy, living in Ireland, and aware of how the GDPR works,
which is probably a small subset of people on planet earth who actually ever think about it.
Sure. Because I was forced to do a training course on GDPR as part of my role in work. I need to know this. It wasn't fun, but it was kind of interesting. I'll be honest. So there is a long running issue with all, not all, many data protection commissioners across Europe being very, very cranky with the Irish data protection commissioners.
Because Ireland has a very friendly tax regime, there are many major multinationals housed in Ireland. So Twitter, Meta, Google, all of these people get Apple. Yes. All of these people get regulated in Ireland by the Irish Data Protection Commissioner for GDPR.

[1:17:46] And that means that the Irish Data Protection Commission have a very big role. Now Ireland likes to attract those companies to Ireland with the friendly tax regime. If the Irish Data Protection Commissioners got too hard-nosed, they would drive away these companies. So there is an amount of political pressure on the Irish Data Protection Commissioners to be friendly to the large companies. The commissioner would argue it has no effect on her. I cannot prove it does, but it can't not affect someone. Right? How could it not affect someone? They're all human beings. So that is the situation in which this is happening. So Ireland is well motivated to not go too hard on Meta.
The other data protection commissions in Cotman, like France and Germany, they have a much more hardline view of privacy than Ireland does. And they want to see the American multinationals really regulated strongly. They want to throw the book at them.
And so they want to rule really strongly for GDPR. And the Irish data protection commissioners are ruling really weakly and it is making them spectacularly cranky.
So cranky that all of this becomes a moot point in a year and a bit.

[1:18:59] Are they losing the ability? Under the Digital Services Act, any company that meets sufficient size goals, which Meta absolutely does, ceases to be regulated by national data protection commissioners and comes under the direct authority of the European Commission.
In other words, the DSA is removing Ireland's jurisdiction over multi-billion dollar companies.

[1:19:31] Interesting. And that is purely because people are so cranky at the terrible job they feel Ireland has been doing.

[1:19:40] Interesting. Wow. So the appeal will certainly go longer than until this act is in law, right? Right. At that point, do we start over?
When the rules change and the commission become the authority clearly in charge, the commission then have to go and reevaluate and the commission have to make a ruling.
I guess they could copy and paste, but they do still have to go through the work of, because then they're going to be applying the DSA to it, not the GDPR. Right? So it's a new standard.
So I think the most realistic outcome is this drags on until DSA comes in.
And then under the DSA we get to start all over again, with the Commission mapping what Meta do and comparing it to the rules set out by the DSA and then deciding whether or not they breach those rules.

[1:20:30] So long run, I think we're going to end up with Meta having a problem, but that is probably three to five years in the future.

[1:20:37] Yeah.

[1:20:39] That's okay. I can wait. Yeah. But anyway, revenge is a dish best served cold. Yeah. So that is why Ireland is simultaneously suing Facebook and suing the people making them sue Facebook.

[1:20:53] It's a bit of a headache. You say there's probably three people on the planet that could have explained that entire thing. It's quite the, yeah, anyway, fun. So moving on to plain old notable news. Can I interject a story? Sure.

[1:21:07] So we talk, you don't know anything about this, but we talk a lot about how to keep elders safe and people, less technical people safe online.
We got an email from Steve's parents.
It said, and I quote, we just spoke to Rick in San Antonio, Texas, and indeed the account was locked because of three tries on Thursday. He gave us a temporary password and we will use it to change the username and password. Sorry to bother you, but hopefully we'll do it properly. No other context whatsoever. Apparently they had started an email to describe a problem, but they never sent it. And they sent this. Steve called him. Turns out they got an email from their bank. It said they tried to log in too many times. And it said to call this number.

[1:21:57] Not the number on the card. They called the bank. They changed their password.

[1:22:02] But guess what? It wasn't the bank. They did not call the number in the email. They pulled out one of their bank statements.
They found the phone number. They listened. They did everything 100% right. And it was true. It was from their bank, but they still didn't trust it. And they won security for today, I think.
Darn tootin'. That is fantastic. And that is the perfect response. They're in their 80s and they are all on top of it.
They are to me, they're like the poster child. I am so proud of them. I don't know that I would have done it better myself.
I just I just thought that was a good news story. Maybe I should have saved it for palate cleansers, but I couldn't wait.
I'm going to return to that story shortly because there's a place where I want to just underline it.
But that's perfect. That is 10 out of 10 gold star.
That is perfect. That's absolutely perfect. So in the United States, there is a class action lawsuit against Meta.
It was filed against Facebook, never filed against Meta. About the whole Cambridge Analytica thing.
So it's a class action suit. Meta have agreed to a settlement of $725 million. It has not yet been approved by the judge.

[1:23:17] Wow. So that is a record setting settlement, if it goes through.

[1:23:26] We shall see. Okay.

[1:23:31] The next two stories have fire extinguishers. So there was a lot of Sturm und Drang on the internet about Chinese researchers having destroyed all of cryptography.

[1:23:42] Even the most generous interpretation would never have got you quite there. What they claimed was that they had found a way to break RSA encryption.
Now, RSA encryption is really important. It is one of the encryption schemes used very widely, so it's not nothing. But it's not all of encryption. It's only RSA. There are lots of other types of encryption in use in the world too. If they had been correct that they had found a way to break RSA, then it would have been a big deal. So the reporting was wrong.
They said they did it with quantum computing, Bart.

[1:24:17] Well, they said that a quantum computer could do it quicker than we think a quantum computer could. But their whole paper is based on an assumption.
So we have, there is a quantum computing algorithm that we know is well founded and we know its effect on RSA.
And that algorithm would not cause a calamity.
There is another proposed algorithm that is very controversial but a few people think might be able to break RSA thousands of times, like many, many, many orders of magnitude faster, like infinitely faster. But that's, you know, that's "I believe Einstein was wrong about gravity" territory of math. That is not a valid assumption to base a research paper on. So when you pull that assumption out from underneath the research paper, everything else collapses in a heap.
I cannot... So there's a theory that an algorithm could exist. Well, no, there is a proposed algorithm which the proponents claim does this magical thing, but that is not proven. That is not even vaguely proven. That is very controversial.
So that is the underpinning of the entire paper by the Chinese authors. So when you pull that underpinning out, because it's not solid foundation, I can't say they're definitely wrong, but the consensus opinion is there is no basis for this article.

[1:25:39] Okay, because I saw that article and my first thought was, uh-oh, what about those last pass vaults, even with long, strong encryption?

[1:25:48] Yeah, so for now, that is not the end of the world. Now, there's a link in the show notes to an article from, because something else happened, right? That got really lost. But the US Congress passed a bill which asks nicely that the US government work with industry to preemptively upgrade encryption to be ready for quantum computing.
I was rather hoping the bill would mandate actual changes by actual dates. It fell short of mandating and basically went, we really strongly suggest.
But look, strong suggestion is still better than nothing. So the bill existing is no bad thing.
And Naked Security did an article about the bill, and this happened before the Chinese paper.
And at the start of that article, Naked Security lay out what it is quantum computing actually can do when it gets real.
So there's two algorithms, Shor's algorithm and another one I just don't remember right now. The article actually explains what quantum computers will and won't break.
So it's actually a really good article, even though it's about a law that's a bit, ah yeah, grand. Why not? Why not say it's a good idea? It is a good idea.

[1:27:02] Like they wouldn't have thought of it on their own as a good idea. Exactly. Exactly. So the law is pretty weak, but the description in the article is fantastic.
It's probably the most human friendly description of what quantum computing is on target to deliver, I have read so far. So I've bookmarked it for future reference.

[1:27:20] Another story that on the surface seems terrifying but isn't. There is a, or there was, a critical vulnerability in the Linux kernel's implementation of the SMB protocol, i.e. the Windows file sharing protocol. That was, now from this point on, it's all fire extinguisher. It was responsibly disclosed on the 22nd of September. The actual bug, December, not September. Okay. Yes. That's what I certainly tried to say. Um, the bug was actually patched in.

[1:27:55] Either July or August. I don't, it was the middle of the summer. The bug was actually patched in the middle of the summer and it's in the kernel implication, sorry, implementation, of SMB. That's not what 99.999% of us use. We use something called Samba, which is a third party library that has existed for decades. So all of our NASes and all of our Linux boxes, they're almost all using Samba. The kernel level support for SMB is really, really new, really, really cutting edge and almost unused. The only distros that use the kernel SMB are the ones being really actively patched, where everyone is updating all the time because you're on the bleeding edge.
So if your device is new enough to be using this, it has definitely been updated since the summer.

[1:28:48] So in reality, you're grand. If your stuff is old, it was never affected. If your stuff is cutting edge, you've already got the fix months ago.
So you're good. Excellent. I like that one. Now, the next story is where we're going to tie back to your very happy story. So it's actually, let's make it happier.
Ukraine, while busy fighting a war, managed to find the time to destroy a ring of scammers who were doing those phone banking scams.
So 40 people were arrested in an office where they were doing a fake phone banking scam, which is great.
But the naked security article is way more valuable than just that. It actually starts by describing what is currently being done by bank scammers, how they are currently tricking people.
It's a fascinating read for the telltale signs of what they're doing right now. And the reason I was sort of saying, oh my goodness, was it really the bank they called, because what you're describing, that initial communication being, we have detected a security problem, is the current modus operandi.
And as the Naked Security article put it, it is technically a true statement. The person telling you your account is under attack is the person attacking your account, but your account is under attack.

[1:30:03] And one of the techniques is that the, you know, the way if your credit card gets attacked, you get a new credit card number.
Right. They are saying that if your bank account gets attacked, this is a lie, this is not true, no bank works like this, right? Let me just underline that. What I'm about to say is the fraud. They tell the victims of the fraud that your account has come under attack, therefore we have issued you a new account.
We need you to transfer your money from the hacked account into the new account. The bank details for the new account are X. Those are the bank details for the bad guys.
They are walking you through transferring your money to the bad guys. And apparently they have the nicest phone manner.
They are the most responsive support people you have ever come across.
They will give you a phone number and encourage you to phone back. They have given you the phone number and they will encourage you to phone back and they will answer promptly.
And they are really good at making it sound like they're confirming information you have actually given them. So they'll say, yeah, I just need to confirm that your first name is.

[1:31:12] And they get you to say it and go, yeah, great, that checks out here. Great, great, great. And so they're just really good about pulling information out of people.
And it was a fascinating read because, of course, the attackers are always changing their tack because the defenders know the tricks. So it was actually really good to get a read of what's currently the norm for evil people.
So I don't think you said it, but from what you wrote in the show notes and just scanning the article, the reason they know all of this is when they busted these 40 people in Ukraine,
or Ukraine busted these 40 people, they got in to see what their scripts are and how they're doing it.
Their playbooks. The playbooks by the scammers were uncovered. Yes, and the Naked Security article actually goes further and they also describe other playbooks used by other criminals. So the Naked Security article says what the Ukrainians were doing and also adds more context, which is why it's such a good article.
Maybe you should be suspicious when the customer support person is super patient and not at the end of their rope. I'm afraid to say that actually might be a good tell, which is depressing in all sorts of ways. But anyway, let us move on to happier things.

[1:32:23] I have a top tip for you. The good people at Intego have given one of those nice happy new year things, 10 things you can do to improve your privacy and security on your Mac, iPhone or iPad. None of them are earth shattering. But you know something, I bet you most people are not doing all of them. So why not have a look? See if there's something you can do to improve your security at the start of the year.
Or at the very least... Or at number 3, only change passwords when needed.
I'm so glad that NIST have finally, finally told everyone, don't make people change their passwords.
It will make them less secure. Thank you, NIST, for making that official. Every time someone says, oh, your password expires, I go, haha, NIST says that's a terrible idea.
And then I make it go away. It's great.
And that brings us on then to, oh no, I have an interesting inside article.
I didn't cover this on our show last month because I don't do rumors in my Apple show. So why on earth would I do rumors and security bits?
The whole point is we're supposed to be relevant and actionable here.
But there has been some interesting reporting about Apple making moves to start supporting third party app stores on iOS, because that is going to be required of them by 2024.

[1:33:34] And a lot of people... In the EU. Correct. Because again, our friend, the DSA, the Digital Service, sorry, that's the DMA, the Digital Markets Act, the close cousin of the DSA.
Because they're a market, it's the App Store. So we know that that law is coming.
What we don't know is actually what Apple are actually going to do. So a lot of this is still fuzzy. And there's been an awful awful... So Mark Gurman wrote an article leaking the fact that Apple have dedicated a team of engineers and they're proactively working towards this requirement.
And there was a whole bunch of speculation. So the internet went mad with all sorts of silly, silly quick takes and nonsense. But amidst all the nonsense there's a little gem I think is worth reading.
It's an Apple Insider article and it actually lays out in detail and it's very clear to say what we don't know.
But it lays out the things to watch out for as the facts begin to crystallise around this upcoming thing. Like we know this is coming by 2024 so something is going to happen. So what should we be looking for? What are the legitimate concerns?
It's just the most thoughtful article amidst a whole bunch of nonsense. So I thought if anyone wants to do a bit of extra reading, I definitely would recommend this as a good article to read if you want to be informed on the whole concept of Apple being forced to do third-party stores.
Interesting. Should I change the show notes to say digital markets act? Because it says digital services act right now.
You probably should actually. Yeah. I obviously got them mixed up because the one up above is the DSA.

[1:35:03] Right, right, right. The Meta one was DSA.

[1:35:07] And then we get to go onto palate cleansing. Two from me this time. So again, on a similar note, 2022 was the year of generative AI.
In other words, getting AI to make things from scratch, which is very, very different to what AI was doing before.
Telling AI to make my photograph look nicer is a very, very, very different thing in every possible way, technologically, theoretically, than I have a blank slate I'm going to say, dear computer, make me an image of. That is fundamentally different.
Dear computer, write me an essay in the style of.
So generative AI was the big thing of 2022. And a lot of people are extrapolating forward from what we have now with ChatGPT and Stable Diffusion and all these things and projecting forward this dystopian future. And Ezra Klein has a podcast where he gets very smart people on and they have really nerdy conversations that go on for it. They're not short. This is a podcast you settle into. It's a one cycle podcast is how I think of it in my mind. Right. This is a discussion about what are the limits of what we actually have, and it puts into context everything that happened in 2022.
And it is by far the most intelligent conversation on the topic I have come across in any format, whether it be spoken word or written.
I learned a lot.
I am way more intrigued and way less panicked.

[1:36:32] Oh, interesting. So yes, we are doing cool stuff, but we are currently in the honeymoon phase where we think these things are actually more powerful than they are on cooler reflection. While they are cool and while they are useful, they are not the end of humans.
It's a really good take. I mean, it's very hard to summarize an hour and something conversation of really intelligent people going on to subtle points. But trust me, I have not seen anyone do a better job of this discussion.
So, I thought it was worth linking to this audience because where the hell do people go like these things, right? Right, right, right. And then the last one is slightly selfish but I don't think I'm alone. Apple killed Dark Sky on New Year's Day.

[1:37:16] And Dark Sky has been a beloved weather app for people who live in places that it rains. I'm not sure it was ever all that high on your list.
I know you've had a bit of rain the last couple of weeks which has changed your outlook a little bit, but on the whole, rain is not your most regular problem.
So you probably weren't a Dark Sky addict. I have been a Dark Sky user for ages and ages and ages, and when Apple killed it, it made me very sad. But, oh sugar, I forget who it is. The blog is... oh sugar, I should have checked the person and put their name in too.
Anyway, it's a review of the best candidates to replace Dark Sky, not from the point of you being an exact clone, but from solving the same problems. If you want an exact clone, the answer is very straightforward.
Carrot Weather.
They have released a new theme that is Dark Sky.
It's got nicer graphics, but it is Dark Sky. And you just, you pay yourself an annual subscription and you get to keep Dark Sky.
Like they have just copied and pasted. To be clear, everybody's saying Apple killed Dark Sky.
They kept the technology of Dark Sky and created an API that others could adopt, which is what Carrot Weather did.
Yes, and they also included the data in the Apple Weather UI, but Dark Sky's magic was a two-parter. So the part that Apple have saved is the data.
So the algorithm to figure out are you going to get rained on.
That bit is incorporated into Apple's tools, it's now part of Apple's Weather app. What Apple did not do was inherit the very easy to use UI.

[1:38:45] Sure, sure, sure, but others can.

[1:38:48] So it's not as deaf. They got rid of the UI, but allowed others to use the API in order to make a good UI. Correct, correct. Yes. So what I guess from the point of view.
Sucks to be Android.
That's where you really care.

[1:39:05] Yes, and yeah, I've had a lot of Android friends going, so what do you recommend? Well, I have found that the only other apps I like are iOS only. So terribly sorry, but I actually don't have an answer for you. That would anger me.
Yeah. So basically, if you want to look at all of the candidates, this blog post does a great job of laying them out where the strengths and weaknesses are. Basically there's two clear winners.
There's Carrot Weather and Hello Weather. Carrot Weather is the best clone. If the old way of showing data clicked with you, if your brain liked the way Dark Sky showed information, you will love Carrot Weather.
Because it's the same thing. If you are trying to solve the same problem but are open to a different way of visualizing the same data, then actually Hello Weather is probably a better interface.
I think it actually shows more useful information more quickly with less clicking, sorry tapping.
So I've actually installed both and I haven't decided which one gets to stay forever, but for this year I've paid for both.

[1:40:07] So I now have two subscriptions instead of one. But for now I'm happy to go with Carrot Weather and Hello Weather and by this time next year I guess one of them will just not be renewed.
But anyway. So to quote Leo Laporte again, on MacBreak Weekly we had a really interesting discussion with the other three guys on the show.
And one of the things they quoted was a Slate article that I'm going to put a link in the show notes to, the world's best terrible weather app.
And it was talking about Dark Sky.

[1:40:40] It was really interesting. Something I learned from it, maybe you know this, but weather apps like Dark Sky and the API and Carrot and all the others, they take images, satellite images, and project forward what's going to happen.
Yeah. What a meteorologist does is uses physics models to predict what's going to happen.
So that's why something like Dark Sky or Carrot Weather or even the Apple Weather app can tell you, is it going to rain when I go on my cycle in the next 15 minutes?
But they're really bad at telling you what's going to happen in three days because projecting forward doesn't work when you're just using images.
And I never caught that subtlety that that was that vast difference between the two.
Not that meteorologists are right most of the time.
99.9% of the time it's a seamless thing, right? Because if you use Dark Sky, the hourly forecast is done by taking the images and projecting them forward and the what's going to happen in three or four hours is done based on meteorology.
And so the Dark Sky app shows you both. No, no, it's only the rain prediction that is, um, that is done by the... like Dark Sky will tell you the weather next week. It is not doing that by projecting forward the current rainfall radar, right? It's doing traditional meteorology for the future.
Like there is a 25% chance of rain next Thursday.

[1:42:00] But what's really funny is that there are times when the meteorologists and Dark Sky disagree.
And so in one part of the Dark Sky UI, it's showing the weather that came from the meteorologists and in the other part it's showing its own prediction.
So you can simultaneously see 100% chance of getting rained on in one part of the UI and a few pixels away, 0% chance. Because the two data sources sometimes catastrophically disagree.

[1:42:29] So I am not going to declare who is right. I'm not going to take an opinion here.
But the article in Slate says that it is not using any meteorology in Dark Sky. I am 99% sure it says for its rain prediction.
Dark Sky simply monitored changes to the shape, size, speed and direction of shapes on a radar map and fast forwarded those images. It wasn't meteorology, it was just graphics practice.
Okay, that is missing the context of for the structure. The radar map was the forecast.
Yeah, so Dark Sky also incorporated normal data because otherwise it could only tell you the next hour or two and it couldn't tell you anything more.
Dark Sky absolutely, I know for a fact Dark Sky incorporated other weather data too because it used to tell you in the UI where the source was for the other metadata, for the other data.

[1:43:19] The projection, Dark Sky had two things, that showed me. Like I said, I'm not going to call it. I'm just going to put a link to the article and...

[1:43:27] No, no, it's a great article, by the way, right? Because the magic sauce of Dark Sky, which did not exist before Dark Sky, was am I going to get wet 45 minutes from now?
There was no one telling you that. Right. And they had the genius idea that the wind doesn't change often. So 90% of the time, if I just move the pixels in the same direction they've been moving, it will be right and it is.
So 99% of the time, yes, I have to laugh. Kyle was out here, Kyle moved to Texas recently and you might have heard there was significant weather events over the holidays and he was watching his weather station and it said,
it said the wind is coming from the, from the west, from the west, from the west, from the west, north, and the temperature dropped 40 degrees in 40 minutes.

[1:44:17] Okay.

[1:44:17] That's called a weather front. Wow. It was like Canada's coming.

[1:44:24] That is amazing. That was that one percent. I mean, I've got a copy of the graph.
I'll send it to you. It's just hilarious because it goes, you know, the weather direction change is commensurate with that temperature change. A much more common flaw with Dark Sky, which I find is great fun.
So I really got to know Dark Sky because it's been my weather app for years and I do a lot of cycling, but Dark Sky is useless where I live if the wind is coming from the south,
from the east, southeast, because the Dublin mountains are east, southeast of me and they have terrain effect rain.
They make rain. If you have a wet wind blowing from that direction, the mountains push it up and it falls as rain. That rain, if you fast forward the radar map, the rain doesn't move. And Dark Sky moves it with the wind.

[1:45:12] But it's not being moved by the wind. It's being made by the mountains. And so Dark Sky tells you there is a clearance on the way in 15 minutes.
It never comes.
It tells you you're going to stop getting wet and you keep getting wet.
Hate that.
Anyway, well, this weekend weather concludes. It's important to some of us.
We don't all get what are the low, low, low, no, morning low clouds. Morning low clouds followed by hazy afternoon sunshine.
Thank you. Thank you.
Thank you. Rinse and repeat. Command-C, Command-V. There we go. Done for the year.
Exactly. I picked a really good time to be sick. We had about three inches of rain in a week and a half, which is massive for us. I think our non-drought rain is about 20 inches a year, something like that.
22. Goodness me. That's a substantial percentage of the rain for the year.

[1:46:11] Geez. You don't know the clothes for it either. We got lucky. Northern California was a mess. Yeah. Nothing is prepared for that. So we just stay home. Sprinkling! Sprinkling.
Yeah. I was going to say if I just stayed home when it was like that, I'd never leave. I'd just be here. Exactly.
Alright folks. Alright. Well this was a good episode. Indeed.
A nice one to start the year off. Mostly, mostly, yeah. Mostly fun. Anyway, you know what to do folks. Until next time, stay patched so you stay secure.

[1:46:38] Well that is going to wind us up for this week. Did you know you can email me at allison at anytime you like and you know when you would like?
You would like to send in recordings for Bart and Alistair and hopefully some text to go along with that so we can do a blog post. Not required but a lot of people do appreciate that.
Anyway, you can do that for the next week or so and then it's gonna be really hard to get through to me so hopefully you won't send anything while I'm gone. Let's see, you can follow me on Twitter at podfeet, you can find me on Mastodon at podfeet at chaos.social.
If you want to join in the fun of the conversation, get answers to your questions like the way Alistair answered me when I was asking about what to do with that SVG, you should join our Slack community at slash Slack.
You can talk to me and all the other lovely NosillaCastaways.
Remember, everything good starts with You can support the shows like Russ Sherman did at slash Patreon, or with a one-time donation like Klaus Wolf did at slash PayPal.
And if you want to join in the fun of the live show, there will be one more live show before we leave. There will be one on January 15th. There will not be one for two weeks after that.
You go to slash live on Sunday nights at 5 p.m. Pacific Time and join the friendly and enthusiastic NosillaCastaways.

[1:47:50] Music.